How does it estimate crack time?

Using the zxcvbn algorithm — it checks for dictionary words, common patterns (dates, keyboard sequences, repeated characters), and applies scoring based on pattern entropy. Crack time is shown at offline-fast (10^10 guesses/sec) and online-throttled (100/hour) attack rates.

Does it check if the password has been breached?

It can check the Have I Been Pwned API using k-Anonymity: only the first 5 characters of the SHA-1 hash are sent, and the full password never leaves your browser.

What makes a password actually strong?

Length is the primary factor — every additional character multiplies the search space. Randomness is second — human-chosen 'complex' passwords follow predictable patterns. A random 16-character password is always stronger than a memorable 20-character pattern.

Password Strength Checker

DevTools Surf

About Password Strength Checker

Password Strength Checker preview - Security / Crypto tool

Analyze password strength with recommendations. Part of the DevTools Surf developer suite. Browse more tools in the Security / Crypto collection.

Use Cases

Evaluate a password's real-world crack resistance before using it on a sensitive account.
Test the password strength scoring in a form before integrating it into a user-facing signup flow.
Demonstrate the weakness of pattern-based 'complex' passwords vs. random high-entropy passwords.
Check if a proposed policy (minimum 12 characters, mixed case) produces measurably stronger passwords.

Tips

Don't rely on character complexity rules alone — 'P@ssw0rd!' scores high on many checkers but is trivially guessable because it matches a known pattern.
Check the estimated crack time at different speeds (offline attack, online throttled) — online services with rate limiting provide very different security than an offline hash dump.
Use the checker to validate passwords your users submit at signup, not just to generate strong passwords — weak user-chosen passwords are the most common breach vector.

Fun Facts

NIST's 2017 guidelines (SP 800-63B) officially abandoned mandatory periodic password changes and complexity requirements (uppercase/number/symbol), determining they increase burden without improving security. Length became the primary recommendation.
Have I Been Pwned, launched by Troy Hunt in 2013, maintains a database of 13 billion breached passwords. The k-Anonymity API allows checking a password hash prefix without exposing the full hash — used by 1Password, Firefox Monitor, and others.
zxcvbn, the password strength estimation library built by Dropbox (2012), estimates crack time by recognizing patterns humans use: keyboard walks (qwerty), dictionary words, dates, and repeated sequences — giving far more accurate estimates than character-set complexity scoring.

FAQ

How does it estimate crack time?: Using the zxcvbn algorithm — it checks for dictionary words, common patterns (dates, keyboard sequences, repeated characters), and applies scoring based on pattern entropy. Crack time is shown at offline-fast (10^10 guesses/sec) and online-throttled (100/hour) attack rates.
Does it check if the password has been breached?: It can check the Have I Been Pwned API using k-Anonymity: only the first 5 characters of the SHA-1 hash are sent, and the full password never leaves your browser.
What makes a password actually strong?: Length is the primary factor — every additional character multiplies the search space. Randomness is second — human-chosen 'complex' passwords follow predictable patterns. A random 16-character password is always stronger than a memorable 20-character pattern.

Related Security / Crypto Tools

Hash Generator v2 HMAC Generator v2 JWT Encoder Bcrypt Hash Tester HMAC Generator Password Strength Analyzer TOTP / 2FA Generator SAML Response Decoder